Automatic, private distribution of our test builds

One thing we are very lucky to have is a good community of people willing to test unfinished builds of our software. That is a very valuable contribution to the process of developing usable, secure apps, so we want to make testing as easy as possible while keeping it as secure and private as possible. To that end, we have set up an FDroid repository of apps generated from the test builds that our build server produces automatically every time we publish new code.

After this big burst of development focused on FDroid, it has become clear that FDroid has a lot of promise for becoming a complete solution for the whole process of delivering software from developers to users. We have tried other ways of delivering test builds, like HockeyApp and Google Play’s Alpha and Beta channels, and have found them lacking: the process was not as easy as it should be, and both of them leave a lot to be desired when it comes to the privacy of the users. So this is the first step in what we hope will be a much bigger project.

To use our new test build service, first install FDroid by downloading it from the official source: https://f-droid.org. Then, using a QR Code scanner such as Barcode Scanner, scan the QR Code below and send it to FDroid Repositories. You can also browse to this page on your Android device and click the link below to add it to FDroid:

You can also reach our test repo over an anonymized connection via its Tor Hidden Service (as of this moment, that means downloading an official FDroid v0.71 build). Just install Orbot and turn it on, and the following .onion address will work automatically in FDroid, as long as your version is new enough (0.69 or later).

Oh! But, how do you check the package’s signature against the package without fdroid’s public key, or signing key, or whatever they use to generate the signatures? They all say “signed by fdroid” but there isn’t anywhere on the site or anywhere else I can find specific key that does the signing?

Thanks so much! The “apk signing key” part sure is confusing though. I eventually realized that if you open the apk and extract the .RSA file and rename the extension to .pem, you can add it to your keyring and examine it, checking it against the information posted at the above page. If I hadn’t figured that out for myself I would have had no idea what to do to verify my apk according to that table.
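The check the two comments above are circling is: pull the signer's certificate out of the APK and compare its fingerprint with the value the project publishes. In a v1 (JAR-style) signed APK the META-INF/*.RSA (or *.DSA, *.EC) entry is a DER-encoded PKCS#7 signedData blob that carries the signer's certificate; `openssl pkcs7 -inform DER -print_certs -in CERT.RSA` will dump it, and `apksigner verify --print-certs` from the Android build tools prints the same fingerprints while also checking the signature. The following is an added example written for this page, not code from the post, its commenters, or the FDroid project: it walks the PKCS#7 structure with a small DER reader, hashes the certificate bytes, and compares the result with a published SHA-256 fingerprint. The sample APK, the placeholder "certificate" inside it, and the resulting fingerprint are all constructed in the block so it runs offline; point `apk_signer_fingerprints` at the bytes of a real APK to use it for real.

```python
"""Added example: extract the signer certificate from an APK's v1 signature
block and compare its SHA-256 fingerprint with a published value.
Stdlib only; the sample APK and certificate at the bottom are constructed."""
import hashlib
import hmac
import io
import zipfile

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def _der_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, position after it).
    Single-byte tags and definite lengths only: all that PKCS#7 needs here."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _der_children(value):
    """Split a constructed element's value into (tag, raw_tlv, inner_value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, nxt = _der_tlv(value, pos)
        out.append((tag, value[pos:nxt], inner))
        pos = nxt
    return out


def certs_from_pkcs7(der):
    """DER certificates carried in a PKCS#7 signedData blob (META-INF/*.RSA)."""
    tag, content_info, _ = _der_tlv(der)
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    (oid_tag, _, oid), (ctx_tag, _, ctx) = _der_children(content_info)[:2]
    if oid_tag != 0x06 or oid != SIGNED_DATA_OID or ctx_tag != 0xA0:
        raise ValueError("not a signedData ContentInfo")
    _, signed_data, _ = _der_tlv(ctx)            # [0] EXPLICIT SignedData SEQUENCE
    for tag, _, inner in _der_children(signed_data):
        if tag == 0xA0:                           # certificates [0] IMPLICIT SET OF
            return [raw for t, raw, _ in _der_children(inner) if t == 0x30]
    return []


def apk_signer_fingerprints(apk_bytes):
    """Lowercase-hex SHA-256 fingerprints of every certificate in every v1
    signature block of the APK; an empty set means there is no v1 signature."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def verify_apk_signer(apk_bytes, expected_fingerprint):
    """True only if the APK has a v1 signature block and every signer certificate
    matches the published SHA-256 fingerprint (colons, spaces, case ignored)."""
    expected = expected_fingerprint.replace(":", "").replace(" ", "").lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected a SHA-256 fingerprint")
    fps = apk_signer_fingerprints(apk_bytes)
    return bool(fps) and all(hmac.compare_digest(fp, expected) for fp in fps)


# ---- constructed sample input, standing in for a real APK -------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + content


def build_sample_signature_block(cert_der):
    """Minimal signedData ContentInfo around one certificate, shaped like
    META-INF/CERT.RSA but with empty digestAlgorithms and signerInfos."""
    signed_data = (_der(0x02, b"\x01")                   # version
                   + _der(0x31, b"")                     # digestAlgorithms
                   + _der(0x30, _der(0x06, DATA_OID))    # contentInfo (data)
                   + _der(0xA0, cert_der)                # certificates [0]
                   + _der(0x31, b""))                    # signerInfos
    return _der(0x30, _der(0x06, SIGNED_DATA_OID) + _der(0xA0, _der(0x30, signed_data)))


def build_sample_apk(signature_block=None):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if signature_block is not None:
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", signature_block)
    return buf.getvalue()


# Placeholder "certificate": a SEQUENCE with a fixed body, NOT a real X.509 cert.
SAMPLE_CERT = _der(0x30, _der(0x04, b"constructed placeholder certificate"))
SAMPLE_FINGERPRINT = hashlib.sha256(SAMPLE_CERT).hexdigest()
SAMPLE_APK = build_sample_apk(build_sample_signature_block(SAMPLE_CERT))
UNSIGNED_APK = build_sample_apk()

if __name__ == "__main__":
    print("signer fingerprints:", apk_signer_fingerprints(SAMPLE_APK))
    print("matches published value:", verify_apk_signer(SAMPLE_APK, SAMPLE_FINGERPRINT.upper()))
```

Two caveats a practitioner should keep in mind. Matching the fingerprint tells you which certificate the APK claims was used, not that the signature over its contents is valid; installing it on Android (which refuses an update signed with a different certificate than the installed version) or running `apksigner verify` does that part. And this reader only looks at v1 signature blocks in META-INF; the later v2 and v3 schemes keep their certificates in the APK Signing Block instead, so an APK signed only with those would come back as having no signature here.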